New Android threats could turn some phones into remote bugging devices

Researchers have recently uncovered two unrelated threats that have the potential to turn some Android devices into remotely controlled bugging and spying devices.

The first risk, according to researchers at antivirus provider Bitdefender, comes in the form of a software framework dubbed Widdit, which developers for more than 1,000 Android apps have used to build revenue-generating advertising capabilities into their wares. Widdit includes a bare-bones downloader that requests a host of Android permissions it doesn't need at the time of installation.

"These permissions are not necessarily used by the SDK [software development kit], but requesting them ensures that anything introduced later in the SDK will work out of the box," Bitdefender researchers Vlad Bordianu and Tiberius Axinte wrote in a blog post published Tuesday. "Among the weirdest permissions we saw are permissions to disable the lock screen, to record audio, or to read browsing history and bookmarks."

Another odd privilege acquired by apps that bundle Widdit: they can execute specific code when a device reboots, receives a text message, or places a call, or when an app is installed or uninstalled. What's more, Widdit uses an unencrypted HTTP channel to download application updates, a design decision that allows attackers on unsecured Wi-Fi networks to replace legitimate updates with malicious files. The man-in-the-middle vulnerability isn't unique to Widdit. In September, researchers said that many Android apps, mostly older ones, are also susceptible. Bitdefender has identified about 1,640 apps in the official Google Play app marketplace that included the framework. So far, only 1,122 of them have been removed.
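As an added illustration (not Bitdefender's or Widdit's code), here is a small Python auditor that flags the profile described above in an app's manifest: the lock-screen, audio and browser-history permissions, the boot/SMS/call/package-change receivers, and any cleartext http:// update endpoint in its string resources. The sample manifest, strings fragment and host name are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Fully qualified attribute name for android:name in a manifest.
A = "{http://schemas.android.com/apk/res/android}name"

# Permissions the Bitdefender post singled out as odd for an ad SDK, plus
# CALL_PHONE, since MouaBad.p's novelty is dialling without user interaction.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "can record audio",
    "android.permission.DISABLE_KEYGUARD": "can disable the lock screen",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS":
        "can read browsing history and bookmarks",
    "android.permission.CALL_PHONE": "can place calls without the dialer UI",
}

# Broadcast actions that let bundled code run on reboot, SMS, outgoing calls
# and package install/uninstall: the triggers the article attributes to Widdit.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "code runs at boot",
    "android.provider.Telephony.SMS_RECEIVED": "code runs on incoming SMS",
    "android.intent.action.NEW_OUTGOING_CALL": "code runs when a call is placed",
    "android.intent.action.PACKAGE_ADDED": "code runs on app install",
    "android.intent.action.PACKAGE_REMOVED": "code runs on app uninstall",
}

CLEARTEXT_URL = re.compile(r"http://[^\s\"'<>]+", re.IGNORECASE)


def audit_manifest(manifest_xml):
    """Return {'permissions': [(name, why)], 'triggers': [(action, why)]}."""
    root = ET.fromstring(manifest_xml)
    perms = [(p.get(A), SUSPICIOUS_PERMISSIONS[p.get(A)])
             for p in root.iter("uses-permission")
             if p.get(A) in SUSPICIOUS_PERMISSIONS]
    triggers = [(a.get(A), TRIGGER_ACTIONS[a.get(A)])
                for r in root.iter("receiver")
                for a in r.iter("action")
                if a.get(A) in TRIGGER_ACTIONS]
    return {"permissions": perms, "triggers": triggers}


def find_cleartext_urls(text):
    """Plain http:// endpoints: an update fetched this way can be replaced by
    anyone on the same untrusted network, so each one deserves a second look."""
    return sorted(set(CLEARTEXT_URL.findall(text)))


def risk_summary(manifest_xml, strings_xml):
    """Combine the checks into one list of human-readable findings."""
    found = audit_manifest(manifest_xml)
    lines = [f"permission {n}: {why}" for n, why in found["permissions"]]
    lines += [f"receiver action {n}: {why}" for n, why in found["triggers"]]
    lines += [f"cleartext update URL: {u}" for u in find_cleartext_urls(strings_xml)]
    return lines


# Constructed sample manifest modelled on the permission profile described
# in the article; it is not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.adsupported">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <application>
    <receiver android:name=".SdkReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed strings.xml fragment; the host is a placeholder, not a real server.
SAMPLE_STRINGS = """<resources>
  <string name="sdk_update_url">http://sdk-updates.example.invalid/latest.apk</string>
</resources>"""
```

Calling risk_summary(SAMPLE_MANIFEST, SAMPLE_STRINGS) on the constructed input yields seven findings: three permissions, three receiver triggers and one cleartext update URL.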

An unrelated malware family discovered by researchers from Lookout Security, another provider of Android threat detection software, has the ability to make phone calls with no user interaction, a capability the firm has never seen before. At the moment, MouaBad.p appears to use that capability to dial pricey premium numbers, but there's nothing stopping its developers from using it to snoop on infected users, particularly given the stealth built into the app.

"In addition to never-before-seen functionality, MouaBad.p is particularly sneaky and effective in its aim to avoid detection," the Lookout researchers wrote. "For example, it waits to make its calls until a period of time after the screen turns off and the lock screen activates. MouaBad.p also end[s] the calls it makes as soon as a user interacts with their device (e.g. unlocks it)."

Fortunately, the risk of most Android users getting infected by MouaBad.p is low since it's found mostly in Chinese-speaking regions and works only on devices running Android version 3.1 or older. Furthermore, the command and control servers that infected devices connect to weren't responding at press time. Still, MouaBad.p—which appears to take initial hold of devices through a "dropper" app that loads a hidden payload in the background—gives an idea of the type of stealth and growing sophistication possible in mobile-based malware.

As always, Ars advises readers to think long and hard before changing default Android settings restricting the installation of apps available in marketplaces other than Google Play. Android users should also consider using an antimalware app from a reputable provider.

Promoted Comments

Android users should also consider using an antimalware app from a reputable provider

So you're telling us that there's now enough Android malware that the battery drain of running a full-time antimalware app is unequivocally justified?

The advice is to consider using an antimalware app. The article never said using an antimalware app is unequivocally justified. Online discussions on Ars are more productive when people don't mischaracterize what other people say.

Er, sorry Dan! I don't know how the word "unequivocally" got in there. I must have been talking to somebody or thinking about a post in another tab when I typed it. No intent to mischaracterize. I'll make an edit.

Quote:

Your post has me curious. Have you ever used an antimalware app? If so, did you compare different apps? And what effect did it/they have on the life of your battery?

Yes, but unfortunately this was probably a couple years ago, I didn't record any of the results, and I was tinkering with alternative ROMs around the same timeframe. But I do know I tried AVG and Lookout at minimum (yes, separately). If my fuzzy memory serves, they did (subjectively of course) seem to slow my Droid 2 and use a fair bit more battery. I know that's not exactly rigorous. This was when mobile antivirus was new, before AVG's hijinks on Windows phone (there were also essentially no Android viruses at the time, IIRC).

If you are paranoid and have 4.3, look up app ops. It's hidden, but it is built into the OS, and along with denying any permission you want, it actually tells you if an app has made use of such permissions you granted it. You can use Nova launcher to get to it, or other apps.

Google has made it harder to find it in 4.4, and in 4.4.2, they got rid of it again, but hopefully when ready, it will be made available for anyone to use.

The problem is many of these phones are used by children and others who have little idea what they are doing.

While it's not yet available on phones (really, Google?), the User Profiles support in Android 4.3+ mitigates this. Create a "kids" profile, restrict access to only already-installed apps, and carry on.

Android's permissions stuff would be far more useful if it worked on a request basis: each app requests whatever set of permissions (either at install or run time), and the user gets to grant or deny those permissions individually. As it stands, the all-or-nothing approach isn't that useful, and often ends up with me opting for the "nothing" end of the spectrum on my Nexus 7 when an app requests a laundry list of permissions.

To give them their due, Apple at least breaks this down into separate permissions for location, contacts, etc. It was ridiculous that it took them bloody ages to get round to doing *anything* about it, but by and large their system now works fairly well.


There are multiple apps available to do just this. Most require a rooted device, though. And the capability is coming in Android itself (some custom ROMs have it built-in already).

Install the app, scan the permissions list, then go into the permissions app and block the ones you don't want.


I've done this in ROMs, but can you give examples of good apps for this? I REALLY hate the all-or-nothing permission system.

EDIT: I'm currently stuck in Gingerbread (on a Droid 2), so apps for Android 4.4 don't help me.


Look at my post about that - read up on it here - it is very extensive.

Kinda reminds me of Dropbox. I've been skipping updates for a while because I have zero interest in the sharing and other crap that it enables, and have no other way of declining those permissions.

I would like to see permissions split into "necessary" and "optional". Dropbox, for instance, would require access to storage and network communication, probably a few others (sync, so it uses the phone's sync settings? Not sure); optional would be crap like contacts and camera.


Updated to make clear I'm not suggesting someone run more than one antimalware app at the same time.

This is why when an app requests unexpected permissions, if the description in the appstore doesn't say why, I decline and move on.

That seems a bit silly to me, since the permissions on Android are designed in such a way that you can go down the list on almost any app and over half of them will not seem to have anything to do with what the app does, yet are still required for some asinine reason. My favorite is still requiring the record audio permission in order to use the system EQ.

The vast majority of good developers wouldn't ask for the world if permissions weren't a free "get out of exception" card. Say the base store cut for an app sale is 25%, and permissions cost a few percent to add on. The pricing would follow according to how dangerous/popular with blackhats a perm is, all the way up to a whopper for root.

Once the honest, but lazy guys stop pissing in the permissions pool, it'll be a lot easier for the ($PLATFORM) App Store to tell which apps really need a closer look. (Of course, this assumes that your platform even has users willing to pay for software. Oh dear.)

I would like to see permissions split into "necessary" and "optional". Dropbox, for instance, would require access to storage and network communication, probably a few others (sync, so it uses the phone's sync settings? Not sure); optional would be crap like contacts and camera.

Unless there is an incentive for app vendors to respect that policy, it won't make a difference. No development manager is going to support giving the customers this kind of choice. It increases development and testing time, increases customer complaints and support costs when customers prohibit permissions for features they actually want, and allows customers to disable features that the marketing department wants to promote for their own silly reasons.

The only people who would use this feature are small/one-man dev teams targeting power users that are likely to pay attention to the permissions requested. But those people are already pretty careful about what they request.

pen_sq's idea of charging developers based on which permissions they require might work. A few percent in gross revenue for being a little careful about your permissions could be a big deal for a lot of developers. There are several issues to make it work, but at least it is a start.


All of which you describe is available now on iOS 7. You can go under Settings -> Privacy and enable/disable an app's access to everything from location to contacts, photos, microphone, etc.

iOS 7 will even tell you which apps have requested permission before, but have been denied, so you might be able to change your mind in the future. Don't want DropBox to have access to your camera/photos, don't let it! No reason to skip updates and lose out on application fixes.

As far as the necessary/optional part, go ahead and disable permissions, and then go see how the app performs. If it doesn't do what you want it to without the permissions, and you don't want to give it permission, then there's probably either an issue with the app, or issues with your expectations of the app given your comfort with how much of your phone's capabilities you're willing to allow.

If you're using iOS 6 or have a jailbroken phone, or are on Android, I can't help you. But I just wanted to point out what you want exists in iOS form.


Thanks for the reply, Moonshark.

Your experience with AVG and Lookout is interesting. I haven't noticed a slowdown when I ran Lookout, but then again, I wasn't very methodical in how I went about measuring things. If antimalware apps have an appreciable effect on speed or battery life, that's obviously going to make them less appealing to users.

In any event, I'm not sure antimalware apps make sense for everyone, but for those people who install lots and lots of apps, there may be a benefit. Bitdefender's app, for instance, automatically flags apps that run Widdit. Assuming the app or others like it truly does come with a performance or battery-life penalty, it may nonetheless be worth it to some people.


Thanks again for your response!

It would be great to see Ars run a detailed article on the current crop of anti-malware apps and their strengths and weaknesses.

Fortunately, the risk of most US Android users getting infected by MouaBad.p is theoretically low since today it's found mostly in Chinese-speaking regions and works only on devices running Android version 3.1 or older.

FTFY. Last stats I saw suggest that a quarter of Android users are on 2.3 or earlier. This article didn't offer any reason why malware authors would disdain a toolkit simply because it's of Chinese origin, and I couldn't think of one, either.

The problem I have with most mobile anti virus is that they try to make you remove programs, telling you that it is infected with some kind of malware, but give no information on it further than the name of the malware.

I live in China and use many Chinese programs from the play store. Avast gets all hot and bothered about me having Weibo installed because it claims it has some kind of ad framework in it. The only options I get are to delete it or report it as a false positive. It gives me zero information about what it is doing and what it could be doing so I have no idea how to evaluate its claim.

I've been utilizing avast! on my phone, and I don't notice any performance degradation. I would also like to have more control over what apps can and can not do on my device, but unfortunately, then you run the risk of "breaking" an app (such as games that "require" network connections to function properly). If it's an app I'm not entirely certain of the full function and it asks for a ton of permissions, I just don't download it, but that's just me.


It gives you zero information because there is no information to provide. I have tested a couple of these apps -- all they do is list ad frameworks and the apps that use them. So what, I knew I was installing an ad supported app, why is it that suddenly I should be surprised it actually displays ads? Seriously that's such a non-issue.


From memory, once upon a time in the distant past there was a 'required=true/false' attribute for permissions, but only the 'required=true' state was supported, and it was assumed if not present.

I actually think this is something that BB10 got right. You can disable any permission you want for any app and do so at your own risk. From the linked page:

Quote:

After you finish: Tip: If an app isn't working as you expect it to, consider setting all of the permissions the app requests to On.


There is no incentive to do it at the moment because there is no OS-supported way to disable permissions. (I think) if all permissions could be disabled in the OS, then there would be an incentive to flag which ones are optional simply to discourage people from being very aggressive in disabling permissions they didn't like.

I actually use XPrivacy these days, but AppOps were actually a really big step towards what should be in the OS. Both AppOps and XPrivacy:

1. Tell you whether an app has actually used a permission or feature
2. Allow you to disable use of a particular permission or feature

There is also LBE Privacy Guard, but it is closed source. What it does have over AppOps and XPrivacy is that you can set certain actions to 'prompt', which could be useful.

Maybe a good balanced way to do permissions in Android would be to have the ability to set permissions to 'Allow' or 'Prompt' at installation time, and then when you are prompted you can choose to Allow Always, Allow, Reject, or Reject Always. There is a big difference between an app asking to read my contact list at installation time, and the same app asking to read my contact list when I click a 'send this to a friend' option.

I used avast on my android phone for a while and I didn't see any performance issues. However, threats like this and the fact that the playstore doesn't appear to have very many controls in place to prevent malicious software from getting on the store are a couple of reasons that I chose to switch to an iOS device. Although some may decry the amount of control that Apple has on their app store, they don't have as many potential security issues as the Android platform does.


I haven't used any personally, so can't recommend them. I've just noticed them in passing in XDA posts.